Phishing Campaign Targets Crypto & Healthcare with ScreenConnect

Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated phishing campaign actively exploiting ConnectWise ScreenConnect, a widely-used remote support and administration tool. Threat actors (TAs) are employing elaborate phishing websites and subdomain takeover techniques to trick victims into downloading malicious ScreenConnect clients. This allows TAs to gain unauthorized system access, posing severe risks of data theft, malware deployment, and critical infrastructure disruption. Analysis indicates a primary focus on cryptocurrency enthusiasts and healthcare organizations within the United States.

Campaign Overview

ScreenConnect, developed by ConnectWise, is revered for its versatility across Linux, Windows, and Mac systems, offering IT professionals the tools necessary for remote desktop viewing, file transfers, and comprehensive administrative tasks. Its ability to mimic physical presence on a client’s device makes it an invaluable asset for Managed Service Providers (MSPs) and IT departments. However, this very capability has caught the attention of threat actors (TAs), who have found a way to exploit ScreenConnect’s functionalities for malicious purposes.

CRIL’s researchers have identified two distinct yet interlinked phishing tactics:

1. Impersonating Cryptocurrency Platforms: Websites like “hxxps://rollecoin[.]online/”, and others hosted on the “minerclouds[.]xyz” domain, closely mimic legitimate cryptocurrency services. They entice users with promises of free coins or rewards for playing games but instead deliver ScreenConnect clients disguised with names referencing cryptocurrencies.

   

   Several phishing sites hosted on a single domain | Image: CRIL

2. Subdomain Takeover in the Healthcare Sector: Phishing sites such as “sgacor.kenparkmdpllc[.]com”, masquerading as a US-based healthcare clinic, demonstrate the threat of subdomain takeover. In these cases, TAs compromise vulnerable subdomains of legitimate websites to host their malicious content, increasing the illusion of authenticity.

   

   Phishing site 1 targeting healthcare entities | Image: CRIL

Technical Analysis: From Download to Compromise

• Initial Payload: Victims downloading from phishing sites typically receive a file named similarly to “Windows-Rollercoin.exe.” Analysis shows these are often self-extracting archives containing the ScreenConnect client.
• Deployment and Installation: Upon execution, a Microsoft Installer (MSI) file named “setup.msi” is extracted to the %temp% directory. This MSI installs the ScreenConnect service, configuring it with launch parameters that reveal unique details about the infection campaign to the TAs.
• Remote Control Capabilities: ScreenConnect offers a wide range of features that TAs can exploit, including remote desktop access, file transfer, user chat, and administrative tasks. This grants them significant control over compromised machines.

Potential Consequences

The abuse of ScreenConnect in this ongoing campaign carries severe ramifications:

• Data Exfiltration: TAs can steal sensitive information, including financial data, intellectual property, and healthcare records, leading to substantial financial losses, reputational damage, and regulatory fines.
• Ransomware Attacks: ScreenConnect can facilitate the deployment of ransomware, encrypting critical files and disrupting operations until a ransom is paid. This is particularly devastating in healthcare contexts, where downtime can directly impact patient care.
• Lateral Movement and Network Compromise: Compromised systems can be used as a beachhead for TAs to move laterally within a network, gaining access to even more sensitive data and systems.

Historical Context

This is not the first instance of ScreenConnect being used for malicious purposes. Previous documented incidents include potential exploitation by the Static Kitten threat group (2021), BlackCat/ALPHV ransomware deployment (2022), and attacks targeting healthcare organizations (2023).

Conclusion

The ongoing exploitation of ScreenConnect underscores the adaptability of threat actors and the need for constant vigilance. Organizations must prioritize proactive cybersecurity measures and continuous threat monitoring to safeguard critical systems and sensitive information from these persistent threats.